Password Cracking and Sniffing

Agenda
• Storing Passwords on the system
• Password Cracking on Windows and Linux
• Defenses against Password cracking
• Sniffing
• Defenses against Sniffing

ECE 4883 - Internetwork Security


Cracking Passwords
• Passwords that can be guessed easily are a problem
• Lots of tools are available to recover passwords from their stored hashes
  - L0phtCrack: Windows password cracker
  - John the Ripper: Unix password cracker
• Default passwords left on a system are a typical vulnerability


Password storage
• Password files store passwords in hashed or encrypted form, never in the clear
• Hash algorithm example: Message Digest 4 (MD4), used for the Windows NT hash
• "Encryption" example: traditional Unix crypt() uses the Data Encryption Standard (DES) as a one-way function (the password is the key, not the data), so the stored value cannot be decrypted either
• When you log in, the password you type is hashed or encrypted and the result is compared to the stored value
• Crackers copy the password file to their own machine and work on it offline, where no account lockout or rate limit applies


Storing Passwords
• Systems keep a file of all hashed/encrypted passwords
  - Windows: SAM (Security Accounts Manager) database
  - UNIX: /etc/passwd or /etc/shadow
• Access to these files makes it much easier for an attacker to break in


Windows Passwords
• The Security Accounts Manager (SAM) stores two versions of each password
• LanMan (LM) hash, kept for backward compatibility with Windows 9x workgroups: the password is upper-cased and hashed as two independent 7-character halves, which makes it far weaker than the NT hash
• NT hash, the cryptographic hash used by Windows NT/2000: MD4 of the password (unsalted)
• The SAM file is in \WINNT\system32\config\, a binary file that is hard to read and is locked while the system runs
• A backup copy is stored in \WINNT\repair


Using Passwords
• The system stores a hashed/encrypted version of the password in a file
• On a login attempt
  - the system hashes/encrypts the typed password, for example with the crypt() function on Linux
  - and compares the result with the stored hashed/encrypted value
• Password cracking uses the same operation: get a copy of the hashed/encrypted passwords, make guesses, hash/encrypt each guess and compare


Password Guessing
• Dictionary: try each word from a word list
• Brute force: try every possible combination of characters
• Hybrid: take dictionary words and add or substitute characters (digits, punctuation, case changes)


Password Cracking
• Dictionary Attack
  - Attacker steals a copy of the stored password file
  - Guess a password (for example from a dictionary)
  - Compute the hash/encrypted value of the guess
  - Compare it with the entries in the stored file
  - Continue until a match is found or the guesses run out


Password retrieval on Windows
• Sniff the network for password hashes sent during authentication
• From the Administrator's emergency repair disk
• From the backup directory (\WINNT\repair)


Password Cracking on Windows
• L0phtCrack - lc4 (Windows)
  - Available from @stake (www.atstake.com/research/lc/)
  - Password auditing and recovery application
  - Default English dictionary of 50,000 words
  - Does "hybrid" attacks
  - Our free trial version does not allow brute force (the $350 licence adds that capability)
  - Works on the weaker LanMan (LM) hashes as well as NT hashes
  - Can sniff a network for LanMan hashed passwords
  - Can import the hashed password file from the local machine or from a remote computer


L0phtCrack (lc4)
• Some statistics (from the website)
  - L0phtCrack obtained 18% of the passwords in 10 minutes
  - 90% of the passwords were recovered within 48 hours on a Pentium II/300
  - The Administrator and most Domain Admin passwords were cracked


Password Cracking on UNIX
• John the Ripper
• Available at http://www.openwall.com/john/
• Supports six hash formats, including the Windows LM hash (used through XP)
• Old Unix systems stored the passwords in /etc/passwd
• The password is stored after being cryptographically altered (hashed or encrypted)
• Different Unix platforms use different algorithms (DES crypt, MD5 crypt, Blowfish, ...)
• /etc/passwd is readable by everyone
• Some Unix systems use a shadow password file: /etc/passwd then contains no password hashes, they are in /etc/shadow or /etc/secure, which only root can read
• If a shadow file is used, you must be root to copy it


Password retrieval on Linux
• Login names, user IDs, full names (GECOS field) and shells are in /etc/passwd
• Hashed passwords are in /etc/shadow
• /etc/shadow alone is enough to crack the passwords
• Having both files makes it easier: the account details feed the guessing


John the Ripper
• Combine the information from /etc/passwd and /etc/shadow into one file (John ships the unshadow tool for this)
• Use this file as input for John the Ripper
• John can create guesses by
  - using its built-in dictionary (wordlist mode)
  - using account information such as the login name and GECOS field (single crack mode)
  - using a brute-force guessing algorithm (incremental mode)
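The merge step and the guess sources above, as an added example (not John's own unshadow code): it joins constructed /etc/passwd and /etc/shadow samples the way unshadow does, classifies each password field by its $id$ prefix so that locked accounts and the old 13-character DES format are handled, and pulls login-name and GECOS words as guess material. The hash strings in the samples are placeholders with the right shape, not real hashes of any password.

```python
"""Added example: unshadow-style merge of /etc/passwd and /etc/shadow and
triage of the result.  Both files are constructed samples."""
import re

# Constructed /etc/passwd: 'x' means "hash lives in shadow"; the 'legacy'
# account still carries a traditional DES hash in passwd itself.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Builder:/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/false
legacy:abJnggxhB/yWI:1003:1003:Old box account:/home/legacy:/bin/sh
"""

# Constructed /etc/shadow: placeholder hashes, '*' and '!' mark locked accounts.
SHADOW = """\
root:$6$rounds=5000$saltsaltsalt$HASHHASHHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$abcdefgh$HASHHASHHASH:19000:0:99999:7:::
bob:$5$saltsalt$HASHHASHHASH:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
"""

HASH_FORMATS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def classify(field):
    """Describe a password field: where the hash lives and which algorithm."""
    if field == "":
        return "empty (no password required)"
    if field == "x":
        return "in shadow"
    if field[0] in "*!":
        return "locked"
    for prefix, name in HASH_FORMATS.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "traditional DES crypt"
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Replace the password field of each passwd line with the shadow hash
    for that user, like John's unshadow(8); lines without a shadow entry
    keep whatever passwd already had."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, hashval, *_ = line.split(":")
            shadow[user] = hashval
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue  # malformed line, skip rather than guess
        if f[0] in shadow:
            f[1] = shadow[f[0]]
        merged.append(":".join(f))
    return "\n".join(merged) + "\n"


def crackable(merged_text):
    """{user: (hash, algorithm)} for the accounts worth feeding to a cracker;
    locked accounts and unrecognised fields are left out."""
    out = {}
    for line in merged_text.splitlines():
        f = line.split(":")
        kind = classify(f[1])
        if kind in ("locked", "in shadow", "unknown"):
            continue
        out[f[0]] = (f[1], kind)
    return out


def account_words(merged_text):
    """Guess material from account data (the idea behind John's single crack
    mode): the login name plus the words of the GECOS field, lower-cased."""
    words = {}
    for line in merged_text.splitlines():
        f = line.split(":")
        parts = re.split(r"[\s,]+", f[4])
        words[f[0]] = sorted({w.lower() for w in [f[0], *parts] if w})
    return words


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print(merged)
    for user, (h, kind) in crackable(merged).items():
        print(f"{user:8s} {kind:22s} guesses from: {account_words(merged)[user]}")
```

Root is the only user able to read the shadow file, which is why the merge has to happen on a copy the attacker already obtained; the classify() step matters because a mixed system may hold four or five hash formats and a cracker has to know which one to apply to each line.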


John the Ripper
• Each guess is hashed with the same algorithm (and, where one is used, the same salt) as the stored hash
• When a password is cracked, the result is displayed on screen (and saved in john.pot)
• While the tool runs, hitting any key shows the current guess and status
• Password complexity determines the time needed to crack it


Defenses against Password Cracking
• Select good passwords (not dictionary based)
• Change them regularly
• Use tools that reject easy passwords at the time they are set
• Run password cracking tests against your own systems
• Protect system backups that contain password files
• Unix: activate password shadowing
• Windows: disable the weaker LM authentication if there are no Windows 95/98 machines on the network


Agenda
✓ Storing Passwords on the system
✓ Password Cracking on Windows and Linux
✓ Defenses against Password cracking
• Sniffing
• Defenses against Sniffing


Sniffing
• Collect information being transmitted on the network
• The attacker must be on the source host, the destination host or a network in between
• Sniffed information can be stored/logged for later analysis


Sniffing traditional LANs
• Traditional networks
  - Broadcast medium (shared hub): easy to sniff
[Diagram: a host sends "Data A" into a hub; the hub repeats the frame on every port, so the attacker's machine receives a copy along with the intended destination]


Sniffing Switched LANs
• Switched LANs
  - A switch forwards each frame only to the port of its destination MAC address, so sniffing is difficult, but possible
  - ARP Cache Poisoning: the attacker must inject packets into the network to redirect traffic
  - ARP tells which MAC address corresponds to which IP address; the attacker sends forged ARP replies claiming that the victim's or gateway's IP address belongs to the attacker's MAC address, so the switch delivers that traffic to the attacker, who forwards it on and reads it in passing
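ARP cache poisoning as an added example (not from the slides or from any tool): it encodes the forged ARP reply as bytes in the RFC 826 layout, shows how a naive ARP cache accepts the unsolicited reply, and runs an arpwatch-style check that flags the IP-to-MAC change. Nothing is transmitted (sending raw frames needs root and a real interface); the MAC and IP addresses are constructed for the demo.

```python
"""Added example: ARP cache poisoning on the wire, and detecting it.
All addresses are constructed; frames are built and parsed, never sent."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (RFC 826 field order)."""
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(p[0:6]), "sender_ip": ip_str(p[6:10]),
        "target_mac": mac_str(p[10:16]), "target_ip": ip_str(p[16:20]),
    }


def naive_cache_update(cache, frame):
    """Classic stack behaviour: any ARP reply, even one nobody asked for,
    overwrites the cache entry for its sender IP.  That is what poisoning exploits."""
    a = parse_arp(frame)
    if a and a["op"] == ARP_REPLY:
        cache[a["sender_ip"]] = a["sender_mac"]
    return cache


class ArpWatch:
    """Remember the first MAC seen for each IP (or a hard-coded static table)
    and flag any ARP packet whose sender claims a different one."""

    def __init__(self, static=None):
        self.table = dict(static or {})

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        known = self.table.setdefault(a["sender_ip"], a["sender_mac"])
        if known != a["sender_mac"]:
            return f"ALERT {a['sender_ip']} changed {known} -> {a['sender_mac']}"
        return None


# Constructed addresses for the demo
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    # The gateway's genuine reply, then the attacker's forged one: same sender
    # IP, attacker's MAC.  The mirror-image reply to the gateway (claiming the
    # victim's IP) would complete a full man-in-the-middle.
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    poison = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache = {}
    naive_cache_update(cache, legit)
    naive_cache_update(cache, poison)        # victim now sends gateway traffic to the attacker
    watch = ArpWatch()
    alerts = [x for x in (watch.observe(legit), watch.observe(poison)) if x]
    return cache, alerts


if __name__ == "__main__":
    cache, alerts = demo()
    print("victim ARP cache:", cache)
    print("\n".join(alerts))
```

The "hard code ARP tables" defense later in the deck corresponds to seeding the table in advance: a host with a static entry for the gateway (arp -s on most systems) never updates it from a reply, and an ArpWatch(static={GATEWAY_IP: GATEWAY_MAC}) flags the forged reply even if it is the first ARP packet it sees.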


Sniffing Switched LANs
[Diagram: with a switch, "Data A" is forwarded only to the port of its destination; the attacker's port sees nothing unless ARP cache poisoning redirects the flow through the attacker]


Sniffit
• Easy to use sniffer
• Available at: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Can be run in interactive mode
• Can be used to sniff traditional LANs
• For switched LANs, it must be combined with ARP cache poisoning tools


Sniffit
• Conditions to use (from the Sniffit web page):
  - You should be ROOT on your machine
  - The machine has to be connected to a network
  - You have to be allowed to sniff (ethical condition)


Sniffit - Interactive mode
• All TCP traffic can be viewed in the main screen
• Traffic from each system and port to each system and port can be seen
• Has an option to view the data in a particular stream flow


Ethereal
• From http://www.ethereal.com/
• Ethereal is a free network protocol analyzer for Unix and Windows.
• It allows you to examine data from a live network or from a capture file on disk.
• You can interactively browse the capture data, viewing summary and detail information for each packet.
• Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
Source: www.ethereal.com

[Screenshot of the Ethereal main window. Source: www.ethereal.com]

Defense against Sniffing
• Transmit encrypted data across the network
• Don't use telnet, rsh, rlogin (they send passwords and data in the clear)
• Use Secure Shell instead
• Use VPNs to encrypt data between systems
• Use switches instead of hubs: makes sniffing more difficult (but not impossible, see ARP cache poisoning)


Defense against Sniffing
• For critical systems
  - MAC level filtering on switches
  - Restrict which MAC addresses can send and receive data on specific switch ports
  - Hard code ARP tables (static entries) on critical systems so that forged ARP replies are ignored
